\n
\/usr\/local\/cpanel\/logs\/session_log<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
The login_log<\/em> shows you all the failed logins to various cPanel services, the IP in question, and the reason for failure.<\/p>\n<\/div>\n\n
\/usr\/local\/cpanel\/logs\/login_log<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
<\/span>Cron Logs<\/span><\/h3>\n<\/div>\n\n
This is the first thing to look for when you have any cron job issues. It will list the user, the time that the cron ran, and the specific command executed by the cron, among other errors.<\/p>\n<\/div>\n
\n
\/var\/log\/cron<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
<\/span>ModSecurity Logs<\/span><\/h3>\n<\/div>\n\n
ModSecurity is an open-source web application firewall (WAF) that protects your web applications from attacks.<\/p>\n<\/div>\n
\n
ModSecurity hits will also be in the main Apache error log file, containing enough information for whitelisting rules. But that log can also be full of other background noise. This log will only show ModSecurity hits and be more verbose and easier to read.<\/p>\n<\/div>\n
\n
\/var\/log\/apache2\/modsec_audit.log<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
<\/span>PHP-FPM Logs<\/span><\/h3>\n<\/div>\n\n
PHP-FPM<\/em> (FastCGI Process Manager) is the most modern PHP handler currently. It will often cause your site to hang in case it needs to protect the rest of the server from overload, so it’s one of the first things you should check in similar situations.<\/p>\n<\/div>\n\n
Depending upon the PHP version, they are located in different directories. For the following directory path, replace XX<\/em> with the PHP version number your site uses currently.<\/p>\n<\/div>\n\n
\/opt\/cpanel\/ea-phpXX\/root\/usr\/var\/log\/php-fpm<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
The following error log is separate from the one for your sites. Many cPanel services use PHP-FPM<\/em> as their handler, so any related issues to that will be stored here.<\/p>\n<\/div>\n\n
\/usr\/local\/cpanel\/logs\/php-fpm\/error.log<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
<\/span>CSF log file<\/span><\/h3>\n<\/div>\n\n
While not a part of cPanel, the ConfigServer Firewall (CSF) is a powerful firewall built around iptables that have been implemented on servers to enhance overall security and protect against various threats.<\/p>\n
The lfd.log<\/em> file is the main log file for the Login Failure Daemon (LFD) process, which is a ConfigServer Firewall (CSF) component dedicated to brute force protection. By examining the lfd.log<\/em> file, you can track repeated failed login attempts, what IP address was blocked, and which service it was trying to access.<\/p>\n<\/div>\n\n
\/var\/log\/lfd.log<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
The csf.deny<\/em> file is where you will find a list of IP addresses and Classless Inter-Domain Routing (CIDR) blocks that are denied access to the server. This file is updated by the CSF system whenever an IP address or range is identified as posing a threat, such as multiple failed login attempts or triggering a rule in the firewall.<\/p>\n<\/div>\n\n
\/etc\/csf\/csf.deny<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
The csf.allow<\/em> log is another important configuration file containing a list of IP addresses explicitly allowed access to the server. This file grants specific IP addresses unrestricted access to the server, bypassing the firewall’s rules and filters. This log is where you should place your IP address, but you should generally be cautious about which IP addresses you allow through this file.<\/p>\n<\/div>\n\n
\/etc\/csf\/csf.allow<\/code><\/pre>\n<\/div>\n\n
<\/div>\n<\/div>\n
\n
<\/span>Email Logs<\/span><\/h3>\n<\/div>\n\n
The mail log file is a more general email log file that mainly shows the Dovecot authentication logs for all POP3\/IMAP connections.<\/p>\n<\/div>\n
\n
\/var\/log\/maillog<\/code><\/pre>\n<\/div>\n